CHAPTER 2 INTERNAL AUDIT AND ORGANIZATIONAL … Documents/Chapter... · 2012-08-13 · The early internal audit literature, e.g., Sawyer, often portrayed internal auditors as the

_______________________ Chapter 2: Internal Audit and Organizational Governance 25

The Institute of Internal Auditors Research Foundation

CHAPTER 2INTERNAL AUDIT AND

ORGANIZATIONAL GOVERNANCE

Dana R. HermansonLarry E. Rittenberg

DisclosureCopyright © 2003 by The Institute of Internal Auditors, 247 Maitland Avenue, Altamonte Springs, Florida32701-4201. All rights reserved. Printed in the United States of America. No part of this publication may bereproduced, stored in a retrieval system, or transmitted in any form by any means — electronic, mechanical,photocopying, recording, or otherwise — without prior written permission of the publisher.

The IIA publishes this document for informational and educational purposes. This document is intendedto provide information, but is not a substitute for legal or accounting advice. The IIA does not provide suchadvice and makes no warranty as to any legal or accounting results through its publication of this document.When legal or accounting issues arise, professional assistance should be sought and retained.

The Professional Practices Framework for Internal Auditing (PPF) was designed by The IIA Board of Directors’Guidance Task Force to appropriately organize the full range of existing and developing practice guidancefor the profession. Based on the definition of internal auditing, the PPF comprises Ethics and Standards,Practice Advisories, and Development and Practice Aids, and paves the way to world-class internal auditing.

This guidance fits into the Framework under the heading Development and Practice Aids.

ISBN 0-89413-498-102404 01/03First Printing

26 Research Opportunities in Internal Auditing _________________________________


I. Introduction

We believe that any examination of research opportunities in internal auditing must firstconsider the broader context in which the internal audit function (IAF) operates. This chapterfocuses primarily on the role of the IAF in organizational governance. Specifically, we:

1. Describe the meaning of “organizational governance” and present a conceptual modelfor effective organizational governance for both profit seeking and not-for-profitorganizations.

2. Discuss the demands for “better” governance, including recent demands to improveorganizational governance and accountability.

3. Review selected key issues related to boards and audit committees.4. Consider the role of the IAF in the governance structure.5. Offer perspectives on research to address organizational governance and the IAF.

II. What is Organizational Governance?

Organizational Governance Defined

Corporate or organizational governance is a broad concept that has been used by regulators,investors, accountants, and boards of directors. The importance of effective corporategovernance has been underscored by Arthur Levitt, former SEC chairman, who describedcorporate governance as processes “indispensable to effective market discipline” (Levitt,1999). He defined corporate governance as “the link between a company’s management,directors, and its financial reporting system.” Levitt further explained that governance that“does not promote a culture of strong independent oversight, risks [the organization’s] verystability and future health” (Levitt, 1999). Levitt’s definition of corporate governance clearlyreflects his regulatory position and concern about financial reporting.

Monks and Minow (2001) define corporate governance as the “relationship among variousparticipants in determining the direction and performance of corporations.” They identifythe primary participants as the shareowners, management, and the board of directors.

The Organisation for Economic Co-operation and Development (OECD, 1999, 1) developeda broader definition:

Corporate governance…involves a set of relationships between a company’smanagement, its board, its shareholders, and other stakeholders. Corporategovernance also provides the structure through which the objectives of the company



are set, and the means of attaining those objectives and monitoring performance aredetermined. Good corporate governance should provide proper incentives for theboard and management to pursue objectives that are in the interests of the companyand shareholders and should facilitate effective monitoring…

The above definition is broader and introduces the concepts of goal congruence, incentives,monitoring, and control. Governance principles and internal audit activity also apply togovernmental and not-for-profit activities. Citizens, for example, desire effective governancefrom their elected officials. Not-for-profit entities require effective governance over theresources that are entrusted to them as they seek to address societal needs. These conceptsare partially, but not fully, embodied within the framework of stakeholders and control.

We also recognize that effective governance approaches may be applied in different waysacross different cultures. Therefore, our approach to organizational governance examinesthe nature of governance across diverse types of organizations and cultural settings. Suchdiversity leads to rich avenues of research. It also requires a broader definition of“organizational governance.”

Exhibit 2-1 portrays the key elements of organizational governance — monitoring, riskmanagement, assurance, control, goals, accountability, recognition of stakeholders, andstewardship. One way to link these terms and define organizational governance is to expandThe IIA’s governance definition as follows:

Governance processes deal with the procedures utilized by the representatives of theorganization’s stakeholders to provide oversight of risk and control processesadministered by management. The monitoring of organizational risks and theassurance that controls adequately mitigate those risks both contribute directly tothe achievement of organizational goals and the preservation of organizational value.Those performing governance activities are accountable to the organization’sstakeholders for effective stewardship.

The specific stakeholders and their means of monitoring and controlling organizations toachieve mutually agreed upon goals may vary considerably. We suggest that many of theseareas are ripe for research, ranging in topic content from the ability of various parties toexercise influence in the governing process to the potential for the IAF to positively contributeto the governing process.



Exh

ibit

2-1

Org

aniz

atio

nal G

over

nanc

e

Ben

efic

iari

es o

f O

rgan

izat

ion

al G

over

nan

ceS

tock

ho

lder

sIn

vest

ors

Len

der

sS

up

plie

rsC

itiz

ens

Ch

arit

able

Co

ntr

ibu

tors

Th

e B

road

er P

ub

lic

Par

tici

pan

ts

Man

agem

ent

Bo

ard

of

Dir

ecto

rsA

ud

it C

om

mit

tee

Inte

rnal

an

d E

xter

nal

Au

dit

ors

Reg

ula

tors

/Ass

oci

atio

ns

Act

ivit

ies

Mo

nit

ori

ng

of

Ris

ks

Ass

ura

nce

Reg

ard

ing

Co

ntr

ols

Go

als

Ach

ieve

men

t o

fO

rgan

izat

ion

al G

oal

s an

dP

rese

rvat

ion

of V

alu

e

Acc

ou

nta

bili

ty

Acc

ou

nta

ble

to

Sta

keh

old

ers

for

Eff

ecti

veS

tew

ard

ship



Research Questions

Several possible research questions relate to this overall definition of organizationalgovernance:

1. Are there parameters of governance that may differ across cultures or across nationsthat are not considered in the above model?

2. Can we develop measures of effective governance that can be applied across cultures,countries, and industries?

3. Can we identify the primary attributes of effective governance and its effect onvarious performance measures such as stock price movements or governmentalefficiency?

4. What is the impact of regulation on the nature of governance processes and the roleof the IAF in those processes?

5. Various reports, e.g., Cadbury, have called for governance reports on the effectivenessof risk management. Do mandated public reports improve governance? Has thenature of the IAF changed in countries that mandate specific governance reports?How does organizational governance differ in countries that have mandatedgovernance reports from those that have not issued similar mandates?

6. Recent legislation in the U.S. has called for reports on the effectiveness of internalcontrol as part of a normal reporting process on the effectiveness of governance.What models of internal control reporting best contribute to the effectiveness oforganizational governance?

7. What are the major determinants of an effective governance system, and how dothese determinants vary across types of organizations or cultures? What culturaldifferences most affect the nature of organizational governance?

8. Many organizations are multinational. Are governance processes, including processesfor risk analysis and control, different in multinational companies than they are forcompanies that are domiciled within a unique culture (or country)? How do theydiffer and what works best?



9. Are there significant differences in the identification of, and accountability to, variousstakeholders that may vary by type of organization, culture, organizational objectives,and so forth? How do such differences affect the nature of organizational governance?

10. What is the demand for governance reports? What kind of a report would meet theusers’ needs for governance and accountability? Can we develop such a modelconceptually or can we test one empirically through experimental markets research?How would these reports differ from evolving reports on internal control?

11. Under what circumstances can an audit committee or other governing structure usethe work of an internal auditor to provide assurances on governance to outside parties,e.g., shareholders? Under what circumstances would internal auditors have sufficientcredibility to add assurances to reports on effective governance?

12. How does an organization most effectively communicate information about theeffectiveness of its governance processes to various stakeholders? Should such reportsbe prepared by independent assurance functions (independent public accountingfirms or internal audit functions), and, if not, are such reports improved by the additionof an assurance function? Does the nature of such assurances differ based on whetherthe internal audit function is outsourced to an independent outside accounting firm,or whether the internal audit function is housed within the organization?

Parties Involved in Organizational Governance

As noted in Exhibit 2-1, organizational governance begins with a broad range of beneficiaries(usually referred to as stakeholders) who contribute resources to an organization (investments,taxes, charitable contributions, etc.). These parties are the direct or indirect beneficiaries ofthe organizational unit that needs to be governed.

Several parties participate in organizational governance — from management and the boardto the internal and external auditors. In some cases, regulators or professional associationsalso contribute to the process. Exhibit 2-2 expands Exhibit 2-1 by depicting the variousrelationships among the parties that are active participants in organizational governance.



Exhibit 2-2Parties Involved in Organizational Governance

Stakeholders — As shown in Exhibit 2-2, the stakeholders (owners or contributors) delegateauthority to the board of directors, which in turn appoints a management team to control theorganization to achieve agreed-upon goals within a framework of acceptable organizationalbehavior. Regulators, associations, and the legal environment also influence the nature ofacceptable organizational behavior. Regulators serve a prominent role in overseeing manyindustries such as financial services, health care, and transportation where there is a strongpublic safety factor to be considered. Professional associations also may influenceorganizational governance either directly through recommendations that are generallyaccepted or indirectly through development of professional standards, codes of ethics, andeducational programs. Legal considerations (liability avoidance, criminal penalties) alsoaffect governance strategies.

Stockholders/Public or

CharitableContributors

Boards of Directors/Audit Committees

Management

LawEnforcement

IndependentPublic

Accountants

InternalAuditors

Regulators



Internal Audit Function — The internal audit function plays a unique role in the governanceprocess; indeed it is a role that is being widely debated. We believe the outcome of thisdebate will dramatically influence the nature of the internal audit activity in the years tocome. We also believe that researchers can contribute to this debate through a wide range ofresearch methodologies.

Management often calls upon internal auditors to help provide them with assurance that (a)risks are effectively identified and monitored, (b) organizational processes are effectivelycontrolled, and (c) organizational processes are efficient or effective. In this structure, theIAF plays a unique role. The early internal audit literature, e.g., Sawyer, often portrayedinternal auditors as the “eyes and ears of management.” As we note in other chapters, internalcontrol has taken on a broader meaning to include the crucial role played by top managementin setting the tone at the top. Thus, internal auditors may find themselves conflicted inhelping management to assess the effectiveness of their governance processes while reportingto the audit committee on the tone at the top. The internal audit function has evolved inmany organizations to a position where it is often called upon to take leadership in helpingthe organization implement, assess, or conceptualize risk management and control processeswithin an organization. In other words, internal audit has played an active role in implementingeffective governance and controls while being asked to assess the effectiveness ofmanagement’s control practices. To what extent would the provision of such services conflictwith the broader governance role?

Audit Committee — Recent legislation and stock exchange proposals on better corporategovernance have elevated the role of the audit committee (at least within the U.S. structure)to a preeminent role in monitoring and reporting on the effectiveness of corporate governance.This has led to various recommendations that the internal audit function report directly tothe audit committee, not to senior management. The recommendation may create tensionwith the more traditional role of internal audit acting as the “eyes and ears” of management.We believe the nature of that tension and the impact of such tension on both the nature of theinternal audit activity and its contribution to the organization should be examined. Forexample, researchers should examine whether IAF activities focusing on audit committeeneeds (or equivalent on an international scale) create positive or negative tension with theIAF’s traditional roles in the risk and governance arena.

Management — Historically, management has clearly been the major driver of corporategovernance. Monks and Minow (2001) detail the historical evolution of the corporation andnote that “the shareholders who own the corporation are so diverse and widely dispersedthat it is difficult to characterize their relationship to the venture in terms of the traditionalowner” (p. 94). They also state that management “has every incentive to increase the numberof shareholders. It increases available capital and helps transferability by keeping the prices



of individual shares comparatively low” (p. 95). They argue that the sheer numbers workeffectively to rob shareholders of power. The recent push for improved governance structurescan be seen as a backlash to this concentration of power in the hands of management.

On the other hand, all organizational governance models recognize the central role ofmanagement as one of the drivers of organizational governance. By setting the tone at thetop (Treadway, 1987) and handling the day-to-day operations of the entity, management’sinfluence on the quality of governance is significant. Management is responsible formonitoring organizational risks and implementing controls to mitigate such risks. The specificroles of the board, audit committee, and the IAF are discussed in detail later in the chapter.All three parties focus on various dimensions of risk assessment and control. An overviewof the potential tensions that might exist in having the internal audit function serve twomasters is shown in Exhibit 2-3.

Exhibit 2-3Competing Demands on Internal Audit Function

Independent evaluation of controls.Assistance in preparing report on controls.Evaluation of efficiency of processes.Assistance in designing controls.Risk analysis.Risk assurance.Facilitation of risk and control self-assessment.

INTERNAL AUDIT FUNCTION

Assurances regarding controls, including an independent assessment of the tone at the top.Independent evaluation of accounting practices and processes,including financial reporting.Risk analysis primarily focused on internal accounting control and financial reporting.Fraud analysis and special investigations.

Management Requests of Internal Audit Function:

Audit Committee Requests of Internal Audit Function:



A brief examination of Exhibit 2-3 indicates significant differences in functions and skillsets required when trying to serve audit committee needs, as opposed to meeting the needsof strategic and operational management. Management wants the internal auditor to provideboth assurance and consulting based on broad operational skills that address risks, evaluatethe efficiency of operations, and stimulate organizational action. On the other hand, theaudit committee is more interested in assurance regarding controls.

Research Questions

The role of the IAF in organizational governance cannot be divorced from the reportingresponsibilities. The nature of the reporting responsibility raises a number of research issues:

1. Are there inherent conflicts in reporting responsibilities when internal auditors reportto both the audit committee and to various levels of management?

2. Are there differences in the nature of services performed and the perceived value ofservices that vary with internal audit’s primary reporting responsibility?

3. What kinds of safeguards need to be built into the IAF to ensure that internal auditingwill meet its external governance responsibilities?

4. To what extent are internal auditors involved in auditing the effectiveness of thegovernance structure of the organization? Does the internal audit role systematicallyvary with organizational characteristics?

5. Does an internal audit emphasis on meeting the needs of the audit committee lead toan increase in outsourcing of the internal audit function?

6. How do organizations assess the value of various internal audit activities?

7. How have budgetary control and resources expended on internal audit changedwith the increased governance requirements of stock exchanges and other regulatoryorganizations?

8. How does the nature of internal audit activities differ when the IAF’s primary reportingresponsibility is to senior management as opposed to the audit committee?



9. Is there an ideal reporting relationship for the IAF? What are the parameters of theideal reporting relationship, and what are the primary determinants of the idealreporting relationship?

Monitoring of Risks and Controls

Exhibits 2-1 and 2-4 identify the two fundamental governance activities for internal auditingas “monitoring risks” and providing “assurance regarding controls.” According to The IIA,“Risk is the probability that an event or action, or inaction, may adversely affect theorganization or activity under review.” In other words, it is the chance of something badhappening. Risk includes the opportunity cost associated with not taking action, as well asthe downside risk traditionally used in the risk literature. In the governance context, the keyactivity with respect to risk is to monitor it, including all the subsidiary steps of identifyingrisk, assessing the potential effect of the risk on the organization, determining a strategy toaddress the risks, and then monitoring the environment for new risks as well as monitoringthe existing risk strategy and attendant controls. Risk is inextricably linked to strategy.Assessing the risks inherent in new strategies and developing proper controls to mitigaterisks associated with a strategy are essential management activities.

Controls exist to address risks. For example, if there were no risk that assets would be stolen,there would not have been an emphasis in accounting systems on proper segregation ofduties. According to The IIA, “Control is any action taken by management to enhance thelikelihood that established objectives and goals will be achieved. Management plans,organizes, and directs the performance of sufficient actions to provide reasonable assurancethat objectives and goals will be achieved. Thus, control is the result of proper planning,organizing, and directing by management.” In the context of governance, the key is toensure that controls are in place to address key organizational risks. Management implementsthe controls, while other participants in governance play more of an oversight or assessmentrole.

Research Questions

Research questions related to risks and controls are developed in more detail in separatechapters. Some of the research questions related to governance include:

1. What role should the IAF play in risk management? How do we determine the optimalrisk management role for the IAF within the governance structure?



Exhibit 2-4Monitoring of Risks and Controls

Monitoring of Risks/Risk Management

Systematically identifying risks.Facilitating risk assessment processes.Evaluating the risk management process.Measuring and monitoring performance.Internally communicating and taking correctiveaction.

PROCESS ORIENTATION - RISKS

Internal Audit

ASSURANCE ORIENTATION - CONTROLS

Assurance Regarding Controls

Evaluating the tone at the top.Systematically assessing control environment.Testing the effectiveness of controls.Evaluating the effectiveness of management'smonitoring processes.Reporting assessments to management, auditcommittee, and designated external parties.



2. Under what circumstances can management use the work of an internal auditor toprovide assurances on risk or control to outside parties, e.g., corporate trading partnersusing e-commerce or joint ventures?

3. Internal auditors have often been viewed as control experts. Under what circumstanceswould internal auditors have sufficient independence and credibility to provide reportsto external parties on the effectiveness of internal control? Is there a difference inwhether the IAF is outsourced or in-house?

4. What role should the IAF play in control self-assessment and control assessment?How do we determine the optimal role for the IAF within the governance structureregarding effective control?

5. An important role of the IAF as part of a control system is effective monitoring.What is “effective monitoring”? What are the conflicts between effective monitoringand the provision of other internal audit services such as control self-assessment,risk self-assessment, or providing recommendations to improve operatingeffectiveness?

Goals and Accountability

As noted above, effective governance requires sufficient resources to monitor both risksand controls. These activities are directed toward helping the organization to achieve itsgoals or objectives, per The IIA, “the broadest statements of what the organization choosesto accomplish.” If an organization suffers a major internal control failure (e.g., massivefraud, etc.), then the likelihood of achieving its goals is greatly diminished. Effectivegovernance activities are designed to preserve the organization’s value. According to TheIIA, “Organizations exist to create value or benefit to their owners, other stakeholders,customers, and clients. This concept provides purpose for their existence.”

The final element of organizational governance is accountability. The participants inorganizational governance are accountable to the organization’s stakeholders for effectivestewardship. Because the stakeholders cannot directly perform monitoring and assuranceactivities themselves, they rely on the parties in Exhibits 2-1 and 2-2.



Research Questions

Research issues related to goals and accountability include:

1. Is the existence of an effective IAF associated with superior organizationalperformance? If so, are there objective measures of internal audit effectiveness?

2. Is the existence of an effective IAF associated with reduced incidence of controlfailures? If so, which types of control failures?

3. What type of internal audit structure enhances the accountability of governmentalentities?

4. How can the internal audit function best increase accountability to variousstakeholders?

5. Do organizations with more specific quantitative goals/objectives perform betterthan those with less measurable goals? What role does internal audit play in helpingdefine and assess attainment of measurable objectives?

III. Demands for Better Governance

Key Factors Driving Demand

Over the past 10 years, there has been a loud call for “better” governance of organizations.This call began with a focus on major public companies and has expanded to cover a broadrange of organizations.

As indicated in Exhibit 2-5, at least three key factors underlie the call for improved governance— organizational disasters, changes in share ownership patterns, and the legal environment.First, high-profile organizational disasters continue to occur with alarming regularity (e.g.,financial frauds, bankruptcies, etc.), and these disasters often are accompanied by questionslike, “Where was the board?,” “Where were the auditors?,” and “Where were the regulators?”From the savings and loan crisis to massive accounting frauds, such as Phar-Mor, Cendant,MicroStrategy, and Waste Management, to current disasters such as Enron and WorldCom,the quality of organizational governance continues to be questioned. In addition, researchon such disasters, particularly financial fraud, consistently documents an association betweenweak governance (e.g., less independent boards, lower quality audit committees, or theabsence of an IAF) and the incidence of problems (e.g., Abbott et al., 2000; Beasley, 1996;



Beasley et al., 2000; Dechow et al., 1996; McMullen, 1996; McMullen and Raghunandan,1996).

Exhibit 2-5Demands for Better Governance

Second, investors and shareholder activists have been much more vocal in recent yearsregarding governance issues. As share ownership of U.S. public companies has becomemore concentrated in the hands of institutional investors, such as TIAA-CREF and CalPERS,these institutions have become more inclined to assert their power over boards andmanagement — often calling for changes in board characteristics or other governancemechanisms. When share ownership was more diffused across individual investors, therewas much less ability for investors to pressure companies to meet their governance demands.The spirit of many recent calls for improved governance is that better governance should (a)reduce the organization’s risks, (b) reduce the organization’s cost of capital, and (c) ultimatelyincrease shareholder value.1

Finally, the legal environment has raised the stakes for directors and officers of publiccompanies. According to the Stanford Law School Securities Class Action Clearinghouse,several measures of securities class action activity have risen dramatically, particularly in2001 (see http://securities.stanford.edu/). Such increases reflect the greater legal risk ofcorporate director service, as well as the need for ever-improved governance practices. Insuch an environment, directors’ and officers’ (D&O) liability insurers also are pushing forgovernance improvements so as to reduce their own risk.

Key Factors Underlying Call for Improved Governance

Changes in Share Ownership Patterns

(Institutional Investors)

Legal Environment(Class Action Suits)

ContinuingOrganizational Disasters

(Fraud, Bankrupty, etc.)



Groups Calling for Improved Governance

Largely in response to the three factors above, many groups have issued calls for improvedgovernance. Selected reports and efforts are discussed below, but this sample is by no meansexhaustive. Readers should refer to the World Bank Web site (http://www.worldbank.org/html/fpd/privatesector/cg/codes.htm) for an excellent listing of major governance reportssorted by country.

Treadway/COSO — The 1987 Report of the National Commission on Fraudulent FinancialReporting (Treadway, 1987) made numerous recommendations designed to reduce financialstatement fraud. The recommendations are applicable to public companies, external auditors,the SEC and other regulators, and accounting educators. To improve both control andgovernance, the report called for a sound tone at the top of the organization, independentand effective audit committees, and careful audit committee oversight of both internal andexternal auditor independence (including the provision of consulting services to theorganization).

The sponsors of the Treadway Commission (called “COSO” for “Committee of SponsoringOrganizations”) followed the Treadway report with two additional governance-relatedpublications. Internal Control – Integrated Framework (COSO, 1992) provided “a standardagainst which businesses and other entities …can assess their control systems and determinehow to improve them.” The COSO internal control model focuses on controls to “promoteefficiency, reduce risk of asset loss, and help ensure the reliability of financial statementsand compliance with laws and regulations.” The COSO internal control model has beenwidely adopted in North America and has shaped directors’ and managers’ efforts to assessand mitigate risk. Other oversight groups in different countries, e.g., CoCo in Canada, Cadburyin the United Kingdom, or the initial King Report in South Africa, have adopted controlframeworks based on fundamental control objectives. While these approaches differ in somerespects, they each provide for a framework of increased control; most also provide a focuson risk and risk management.

In 1999, COSO published Fraudulent Financial Reporting: 1987-1997, An Analysis of U.S.Public Companies (Beasley et al., 1999). This study examined financial statement fraudcases over the 10 years since the Treadway report had been issued. Among the key findingsof the study were: (1) fraud appears to be concentrated among smaller public companies, (2)fraud cases typically involve the CEO and/or CFO of the company, (3) the boards and auditcommittees of companies cited for fraud appear to be extremely weak (lack of independence,expertise, and diligence), and (4) fraud often devastates the company (half of the companiesstudied failed within a few years after the fraud). The primary governance-related



recommendation of the study was that efforts to enhance audit committee composition andperformance should not exempt smaller public companies (e.g., on the basis of costconsiderations), but in fact should target such companies because of their prominent role infinancial fraud cases over the preceding decade.

COSO currently has another project underway, designed to develop a risk managementframework for use by managers and directors. The study is designed to take the COSOmodel to the next level by more explicitly recognizing that risk management is an importantprecursor to the implementation of any control framework.

Cadbury Report and Hampel Report — In the United Kingdom, many efforts have addressedgovernance issues. The Financial Aspects of Corporate Governance (Cadbury, 1992)developed recommendations “focused on the control and reporting functions of boards, andon the role of auditors” (para 1.2). A primary output of the Cadbury effort was the Code ofBest Practice — which ultimately was enforced by the London Stock Exchange. The threeunderlying elements of the Code were “openness, integrity, and accountability” (para 3.2).

The Committee on Corporate Governance (Hampel, 1998) focused its governancerecommendations on the “board’s first responsibility — to enhance the prosperity of thebusiness over time” (para 1.1). The Hampel committee reviewed prior governance reportsin the U.K. and offered its own views on certain issues. The specific recommendations ofHampel addressed directors, shareholders, and auditors. Particular emphasis was placed onestablishing principles that were consistent with maximizing the success of the organization.

NACD Blue Ribbon Commissions — The National Association of Corporate Directors (NACD)Blue Ribbon Commissions, which are formed generally on an annual basis, have addressedsuch issues as director professionalism, director compensation, audit committees, CEOsuccession, and strategy. The two reports most relevant to the current discussion are theReport of the NACD Blue Ribbon Commission on Director Professionalism (NACD, 2001)and the Report of the NACD Blue Ribbon Commission on Audit Committees (NACD, 2000a).The director professionalism report addressed such issues as director independence, over-commitment (e.g., how many boards is too many?), and responsibilities. The audit committeereport provided practical guidance for audit committees (e.g., audit committee composition,processes, legal liability, etc.) and is discussed in more detail later in the chapter.

CalPERS and TIAA-CREF — Two of the most vocal and progressive institutional investorsare CalPERS and TIAA-CREF, both pension funds. In 1998, CalPERS issued CorporateGovernance Principles & Guidelines (CalPERS, 1998). CalPERS stated that “the criteriacontained in both the principles and guidelines are important considerations for all companies



within the U.S. market” (p. 3). The primary focus of the CalPERS effort was on accountabilityin governance — as a result, board independence was the major theme of the report. CalPERSalso addressed such issues as board processes and evaluation, individual directorcharacteristics, and shareowner rights.

TIAA-CREF maintains its Policy Statement on Corporate Governance (2002) on its Website (http://www.tiaa-cref.org/) as an “evolving document.” TIAA-CREF addresses a widerange of governance issues including board composition and processes, shareholders’ rights,executive compensation, CEO performance evaluation, fiduciary oversight, and socialresponsibility.

Corporate Governance Center and The IIA — In response to the Enron disaster, manygroups have issued or reaffirmed calls for improved governance. For example, the CorporateGovernance Center (CGC) at Kennesaw State University and The IIA issued governance-related recommendations. In March 2002, the CGC issued 21st Century Governance Principlesfor U.S. Public Companies (CGC, 2002). The principles were issued to “advance the currentdialogue and to promote investor, stakeholder, and financial statement user interests.” The10 principles issued point to the importance of effective interaction among management,directors, and auditors, and they also directly call for all public companies to maintain aneffective, full-time IAF. The principles, which appear in Exhibit 2-6, also address suchgovernance elements as independence, expertise, leadership, and disclosure.

Exhibit 2-621st Century Governance Principles for U.S. Public Companies

1. Interaction — Sound governance requires effective interaction among the board,management, the external auditor, and the internal auditor.

2. Board Purpose — The board of directors should understand that its purpose isto protect the interests of the corporation’s stockholders, while considering theinterests of other stakeholders (e.g., creditors, employees, etc.).

3. Board Responsibilities — The board’s major areas of responsibility should bemonitoring the CEO, overseeing the corporation’s strategy, and monitoring risksand the corporation’s control system. Directors should employ healthy skepticismin meeting these responsibilities.



Exhibit 2-6 (Cont.)

4. Independence — The major stock exchanges should define an “independent”director as one who has no professional or personal ties (either current or former)to the corporation or its management other than service as a director. The vastmajority of the directors should be independent in both fact and appearance soas to promote arms-length oversight.

5. Expertise — The directors should possess relevant industry, company, functionalarea, and governance expertise. The directors should reflect a mix of backgroundsand perspectives. All directors should receive detailed orientation and continuingeducation to assure they achieve and maintain the necessary level of expertise.

6. Meetings and Information — The board should meet frequently for extendedperiods of time and should have access to the information and personnel it needsto perform its duties.

7. Leadership — The roles of board chair and CEO should be separate.

8. Disclosure — Proxy statements and other board communications should reflectboard activities and transactions (e.g., insider trades) in a transparent and timelymanner.

9. Committees — The nominating, compensation, and audit committees of theboard should be composed only of independent directors.

10. Internal Audit — All public companies should maintain an effective, full-timeinternal audit function that reports directly to the audit committee.

Source: The Corporate Governance Center (CGC, 2002), reprinted with permission.

In April 2002, The IIA (2002) made related recommendations to the New York StockExchange:

1. The major stock exchanges should “jointly issue a uniform set of corporategovernance principles for publicly held companies. Moreover, the board of directors



of public companies should be required to disclose in their annual reports the extentto which they are in compliance with those principles.” “While many models couldserve as the starting point for the development of sound corporate governanceprinciples, the 21st Century Governance Principles for U.S. Public Companies, recentlyissued by the Corporate Governance Center at Kennesaw State University in Kennesaw,Georgia, appear to The Institute to be particularly appropriate.”

2. “The boards of directors of all publicly held companies should be required to publiclydisclose an assessment of the effectiveness of internal controls within theirorganizations.”

3. “All publicly held companies should establish and maintain an independent, adequatelyresourced, and competently staffed IAF to provide management and the auditcommittee with ongoing assessments of the organization’s risk management processesand the accompanying system of internal control.”

New Federal Law and Exchange Listing Proposals — In mid 2002, in response to financialdisasters at Enron, WorldCom, Global Crossing, and many other companies, the Sarbanes-Oxley Act and new exchange listing proposals were passed to help restore investor confidence.Selected governance-related provisions of these developments are summarized in Exhibit 2-7 (see http://www.gcwf.com/newsletter/corp/020729/sarbanes_oxley_act.htm for an excellentsummary of Sarbanes-Oxley, http://www.nyse.com for the NYSE changes, and http://www.nasdaq.com for the NASDAQ changes).

Exhibit 2-7New Federal Law and Exchange Listing Proposals

Selected Provisions of Sarbanes-Oxley Act (www.gcfw.com):

• New oversight board for accounting profession.• Certifications by CEO and CFO regarding financial statements and internal

controls.• Tightened definition of “independent” audit committee member.• External auditors to report directly to audit committee.• Prohibitions on certain non-audit services by external auditors.• Tougher penalties for financial statement fraud.



Selected Provisions of NYSE Listing Requirement Propsals (www.nyse.com):

• Require corporate boards to have a majority of independent directors.• Require listed companies to have audit, compensation, and nominating

committees composed entirely of independent directors.• Require nonmanagement directors to meet at regularly scheduled executive

sessions without management.• For a director to be deemed independent, the board must affirmatively determine

that the director has no material relationship with the listed company.• Require listed companies to have an internal audit function.• Require companies to adopt and disclose governance guidelines, codes of

business conduct, and charters for their audit, compensation, and nominatingcommittees.

Selected Provisions of NASDAQ Listing Requirement Proposals (www.nasdaq.com):

• Majority of board members will be independent.• Regular meetings of independent directors in executive session.• Further tightening of definition of “independence.”• Audit committees have sole authority to hire and fire independent auditors and

to approve all non-audit-related services.• Allow one non-independent director to serve on compensation or nomination

committees under certain disclosed circumstances.

Research Questions

The full impact of these changes on the U.S. governance environment remains to be seen —and should provide fertile ground for research. Specifically, the following questions can beexamined:

1. How did the role of the IAF change as a result of new regulations passed in 2002?Has the status of the IAF been elevated? If so, how?

Exhibit 2-7 (Cont.)



2. How do potential audit committee or board members evaluate the strength of theIAF? To what extent does the existence of an effective IAF influence the compositionof a board of directors?

3. Have the new regulations passed in 2002 led to a change in organizations’ controlsystems or governance practices?

4. Has internal audit outsourcing increased in companies where the IAF reports directlyto the audit committee (assumes an audit committee focus on controls and financialreporting)?

5. What role does (should) the IAF play in assessing and reporting on risk managementand control? Is the internal audit function effective in reporting on the “tone at thetop” as part of its function to help assess the quality of internal control?

6. What role does (should) the IAF play in whistleblower protection, a hot line callsystem, or an ethics program?

7. Has the nature of the interaction of the IAF with audit committees changed? If yes,how has it changed? How has the interaction with top management changed?

8. What is the internal auditor’s role in evaluating the effectiveness of risk processesand controls associated with information technology?

9. Are there significant differences in the IAF between companies listed on the NYSEand those listed on other exchanges that have different governance requirements?

10. Are the recommendations for improved internal auditing in the private sector beingcarried over into the public sector? If yes, what are the mechanisms that contributeto the change?

The demands for better governance (e.g., risk assessment and control) are clear, and theyhave come from a variety of sources. Factors such as continuing deficiencies in organizationalaccountability, changes in share ownership patterns, and the legal environment all contributeto the current call for improvement. The next section looks more specifically at the roles oftwo key governance participants — the board of directors and the audit committee — andconsiders an alternative governance structure, the two-tiered model.



IV. The Role of the Board and Audit Committee

Board of Directors

According to the National Association of Corporate Directors (NACD, 1996), the purpose ofthe board is to “oversee the conduct of the company’s business and to direct the affairs ofthe company, but not to manage the business.” NACD’s acronym for the board’s role isNIFO — “nose in, fingers out” — meaning that the directors oversee the organization, butdo not meddle in day-to-day affairs.

TIAA-CREF (2002) states, “The primary purpose of the board of directors is to foster thelong-term success of the corporation consistent with its fiduciary responsibility to theshareholders. TIAA-CREF supports the primary authority of the board in such areas as theselection of the chief executive officer, review and ratification of the corporation’s long-term strategy, [and] assurance of sufficient financial resources and maintenance of financialintegrity…”

Monks and Minow (2001) describe the board of directors as:

The link between the people who provide the capital (the shareholders) and thepeople who use the capital to create value (the managers). This means that boardsare the overlap between the small, powerful group that runs the company and ahuge, diffuse, and relatively powerless group that simply wants the company runwell (p. 184).

Monks and Minow go on to state the major problem:

The single major challenge addressed by corporate governance is how to grantmanagers enormous discretionary power over the conduct of the business whileholding them accountable for the use of that power (p. 185).

Although Monks and Minow wrote their book before the recent corporate debacles of Enronand WorldCom, and before the Sarbannes-Oxley bill, they have successfully identified theneed for greater accountability called for in the legislation. Similar calls for accountabilityhave also occurred in the King report in South Africa and the Cadbury report in the U.K. Weneed to understand those calls for accountability to better visualize the roles of auditors.

The fundamental elements of the board’s role can be characterized as in Exhibit 2-8. Boardactivity often centers on monitoring the CEO, overseeing corporate strategy, and monitoringrisks and controls.



Exhibit 2-8Board Responsibilities

The board’s responsibilities encompass the following general areas:

• Reviewing and approving major strategies of the organization.• Monitoring the CEO and company operations.• Overseeing the organization’s development and implementation of strategy.• Monitoring risks and the organization’s control system.• Monitoring activities and taking actions to ensure the fairness of treatment among

various shareholder groups and other stakeholders.

Selecting, motivating, evaluating, retaining, and possibly firing the CEO may be the board’smost significant responsibility. In recent years, U.S. boards have been more likely to exercisetheir power over the CEO. Many boards are placing more emphasis on CEO successionplanning and more formal evaluation of CEO performance.

The role of the board in overseeing the strategic planning process was the focus of a recentNACD Blue Ribbon Commission (NACD, 2000b). The Commission had two goals — “helpCEOs and boards of all types of companies become more constructively engaged in corporatestrategy, and help them work together more effectively to make sure their companies areestablishing and pursuing winning strategies.” Many view the strategy arena as an iterativeprocess between the board and CEO — with the degree of board involvement in strategydevelopment varying across companies.

The board monitors risks and oversees the organization’s control system. The COSO (1992)internal control framework is frequently used to guide the board’s efforts in this area. Muchof the board work in the area involves discussions with those parties on the “front lines” ofrisk assessment and control, including the internal auditors. In addition, financial-relatedrisks often are viewed as the domain of the audit committee of the board.

Finally, the board has a responsibility to represent the shareholders who have contributedcapital to ensure that the organization is operating in their best interests. For example, boardsare expected to evaluate proposals that would dilute shareholder control or would transfermore responsibility for assets to management without corresponding levels of accountability.



In performing their duties, board members are held to two legal standards, the duty of careand the duty of loyalty. The duty of care requires directors to (NACD, 1996):

• “Act in good faith.• Keep informed.• Attend meetings.• Commit time and attention.• Reasonably believe in basis of their actions.”

The duty of loyalty means (NACD, 1996):

• “Do not use the position [of director] to make personal profit or gain.• The corporation comes first (act in corporation’s best interests).• Confidentiality is essential.”

Given the increased expectations placed on boards in recent years, NACD has performed aseries of governance surveys to monitor trends in board characteristics and activities. Specificinformation is available by contacting the NACD (http://www.nacdonline.org).

In addition, readers should recognize that governance practices vary widely across countries.The range of board practices throughout the world is of interest to the internal audit profession,and The IIA encourages research by authors interested in the nature of organizationalgovernance as it has evolved across the world, particularly in underdeveloped countries.Readers are encouraged to consult the World Bank Web site (http://www.worldbank.org/html/fpd/privatesector/cg/codes.htm) and other online resources for information on specificcountries’ practices.

Audit Committee

A great deal has been written about audit committees over the past few years (e.g.,PricewaterhouseCoopers, 2000). For example, each of the international accounting firmshas issued audit committee guidance, the Blue Ribbon Committee (BRC, 1999) and theNACD Blue Ribbon Commission (2000a) were formed to address audit committee issues,the SEC (1999) has issued new audit committee disclosure rules, the national stock exchangeshave implemented new listing requirements related to audit committees, and the AuditingStandards Board of the AICPA (AICPA, 1999, 2000) has expanded the required discussionsbetween external auditors and audit committees. In the wake of the Enron disaster, attentionon audit committees is expected to continue, and the expectations placed on audit committeesare almost sure to continue to rise.



The role of the audit committee has been described as:

“First among equals” in supporting “responsible financial disclosure and active andparticipatory oversight” (BRC, 1999, p. 7). The Blue Ribbon Committee goes on todescribe the oversight role as “ensuring that quality accounting policies, internalcontrols, and independent and objective outside auditors are in place to deter fraud,anticipate financial risks, and promote accurate, high quality and timely disclosureof financial and other material information to the board, to the public markets, and toshareholders” (p. 20).

Fulfilling “a vital role in corporate governance. The audit committee can be a criticalcomponent in ensuring quality reporting and controls, as well as the properidentification and management of risk” (NACD, 2000a, p. 1).

The three key roles of the audit committee as described by NACD (2000a) and others areportrayed in Exhibit 2-9. Typically, audit committees are charged with monitoring the financialreporting process, overseeing the internal control system, and overseeing the work of theinternal and external auditors.

Exhibit 2-9Audit Committee Responsibilities

Per the NACD Blue Ribbon Commission on Audit Committees (NACD, 2000a) andothers, the audit committee’s responsibilities are to:

Audit Committee

Oversee theInternal Control

System

Monitor the FinancialReporting Process

Oversee the InternalAudit and

Independent PublicAccounting Functions



In the eyes of many, the primary role of the audit committee is to monitor the financialreporting process — with the goal of helping to ensure reliable financial reporting. Per theNACD (2000a), activities in this area include reviewing financial statements and disclosures,assessing the organization’s quality of earnings, asking tough questions of management,and assessing the risk of fraudulent financial reporting.

In terms of overseeing the control system, the NACD (2000a) points to assessing the “tone atthe top” (Treadway 1987), ensuring that organizational risks are assessed and mitigated, andensuring that control weaknesses are addressed by management. NACD recommends thatthe internal control framework developed by COSO (1992) be the basis for audit committeeoversight in this area.

The final area of audit committee responsibility is oversight of the internal and external auditfunctions. In terms of internal audit oversight, audit committee duties should include reviewingthe internal audit charter, receiving internal audit reports, assessing the objectivity of theIAF, and monitoring internal audit staffing issues (NACD, 2000a).

Oversight of the external auditors involves similar activities. Some oversight activities noware expressly required for U.S. public companies, such as discussing certain audit issueswith the external auditor, assessing the independence of the external auditor, and the auditcommittee having the authority to hire/fire the external auditors (e.g., see Carcello et al.,2002).

The academic literature on audit committees is growing rapidly, consistent with the increasingprofessional focus on audit committees. A current literature review paper by DeZoort et al.(2002), classifies the empirical audit committee literature into four areas — audit committeecomposition, authority, resources, and diligence. Among the numerous audit committeeissues examined to date are: (1) audit committee formation or existence and its relation toreporting quality (McMullen, 1996; Wild, 1996), (2) audit committee composition differencesbetween companies with versus without financial statement fraud (e.g., Abbott et al., 2000;Beasley et al., 2000), (3) the association between audit committee characteristics andinteraction with the IAF (Raghunandan et al., 2001), (4) the association between auditcommittee composition and auditor reporting for distressed companies (Carcello and Neal,2000), and (5) factors associated with voluntary audit committee disclosures (Carcello et al.,2002). Collectively, the academic literature suggests clear benefits of having an independent,diligent, and expert audit committee.



Research Questions

Additional research questions related to audit committees include the following:

1. What kind of an information system does an audit committee need to be effective?What role can the IAF play in providing that information?

2. Is there an association between the quality of the IAF and the effectiveness of theaudit committee?

3. Is there a conflict in the duties of audit committees, as presently constituted, regardingreporting relationships? The audit committee is a subcommittee of the board andmay report to a board that could be dominated by management. Does the compositionof the board influence the effectiveness of the audit committee?

4. How does an audit committee meet its external governance needs while operating ina framework that makes it part of a larger body dominated by internal personnel?

5. Most discussions of board activities warn against “micromanagement.” However,many of the internal auditors’ recommendations address needs for improving controls,risk management, information technology security, efficiency of operations, and soforth are clearly intended for management action. How do effective audit committeesmanage the detail often found in internal audit recommendations?

6. Does the increased reporting responsibility of the IAF to the audit committee decreasethe value of the IAF as a management tool?

7. Are audit committees becoming more financially literate, as required by the SECand legislation? How is financial literacy measured? Does the focus on financialliteracy improve or hinder the effective performance of an audit committee and theboard of directors?

8. What level or style of communication is most effective in portraying internal auditinformation to audit committees?

Alternative Governance Structures: The Two-Tiered Governance Structure

The corporate structures found in the Netherlands, France, and Germany differ from thestructure described earlier. They are generally two-tiered structures. This form of governance



separates the board into the supervisory board and the management board. The managementboard, composed solely of insiders, is responsible for the company’s daily business activity.The supervisory board has general oversight functions and is responsible for safeguarding acompany’s overall welfare by reviewing management board activities (Fraser et al., 2000).This system has been commended by some for the separation of the responsibilities of theboard and criticized by others for its opaqueness in the specific responsibilities. On onehand, the two-tiered structure represents some attributes that have been found worthwhile inprevious governance research:

• The supervisory board is independent of management.• The supervisory board is knowledgeable, meets often, and devotes sufficient effort

to be effective.• The supervisory board is powerful (i.e., it has the ability to shut down operations

and to dismiss current management).

On the other hand, the supervisory board differs from a traditional board in that:

• It operates on a near full-time basis.• It violates the general principle of “nose in, fingers out” advocated for good corporate

governance in the U.S. (NACD, 1996).• It is active in directing internal audit activities, thereby creating a potential greater

division of internal audit work for management versus the supervisory board.

Research Questions

Research questions related to the two-tiered system include:

1. How might we measure the effectiveness of single-tier approaches to governanceversus the two-tier structure found in some European and Asian countries?

2. Are organizations with full-time, outside governing structures more effective inprotecting stakeholders? Are there things that we can learn from the two-tiergovernance structure that can be applied to improve the single-tier governancestructure?

3. How does the role of the IAF differ in single-tier versus two-tier governance structures?



V. The Role of the IAF in the Governance Structure

With the organizational governance framework established, we turn more specifically to therole of the IAF within this context. The IIA defines internal auditing as “an independent,objective assurance and consulting activity designed to add value and improve anorganization’s operations. It helps an organization accomplish its objectives by bringing asystematic, disciplined approach to evaluate and improve the effectiveness of riskmanagement, control, and governance processes.”

Several common elements appear in this definition and the definition of organizationalgovernance, particularly the elements of assurance, risk, and control. In many ways, aneffective IAF is an important “frontline player” in the two fundamental governance activities— monitoring of risks and providing assurance regarding controls (see Exhibit 2-1). Theinternal auditor’s risk-driven efforts provide critical inputs to other governance participants,including the audit committee and management. In fact, some now describe the IAF as the“eyes and ears” of the audit committee.

Perhaps the best summary of the IAF’s role in governance is that developed by The IIA(http://www.theiia.org):

[Internal auditors’] roles include monitoring, assessing, and analyzing organizationalrisks and controls; and reviewing and confirming information and compliance withpolicies, procedures, and laws. Working in partnership with management, internalauditors provide the board, the audit committee, and executive managementassurance that risks are held at bay and that the organization’s corporategovernance is strong and effective. And, when there is room for improvement anywherewithin the organization, the internal auditors make recommendations for enhancingprocesses, policies, and procedures.

Exhibit 2-10 summarizes the key roles of the IAF. Risk assessment, control assurance, andcompliance work comprise the bulk of internal audit activity, and all three of these elementsmap directly into organizational governance. In addition, internal auditors also may spendconsiderable time on consulting or operational-oriented work, with the objective of enhancingthe organization’s effectiveness or efficiency.



Exhibit 2-10Nature of Internal Audit Activity

Internal auditing is an independent, objective assurance and consulting activity designedto add value and improve an organization’s operations. It helps an organizationaccomplish its objectives by bringing a systematic, disciplined approach to evaluateand improve the effectiveness of risk management, control, and governance processes.(The IIA)

The IAF has historically contributed to an organization’s understanding of risk and controlin a number of diverse ways. For example, internal auditors have performed each of thefollowing functions (although not always in the same organization):

Risk:

• Assess existing risk of audited area and report that assessment to management, theaudit committee, or both.

• Develop a plan to systematically assess risk across the organization.• Lead the risk management activities when a void has occurred within the organization.• Facilitate risk assessment through risk self-assessment techniques.• Evaluate risks associated with new computing developments and stop the project if

risks are not controlled at predetermined acceptable levels.• Assist management in implementing a risk model across the organization.

Roles of Internal Audit

RiskAssessment

ProvidingAssuranceRegardingControls

Compliance Consulting &Operations



Control:

• Test compliance with controls in functional areas. Report findings to management,and if important, to the audit committee.

• Assist management in designing a comprehensive assessment, including testing ofcontrols across the organization.

• Assist management in preparing a report on the effectiveness of internal controls.• Identify significant control deficiencies, including elements of the tone at the top,

and communicate to the audit committee (for areas examined).• Implement computerized testing techniques, e.g., continuous control monitoring

techniques, to monitor effectiveness of controls.• Facilitate the understanding and development of controls within functional areas

through control self-assessment (CSA) techniques.

The overall conclusion of this discussion of organizational governance and internal auditingis that the IAF is a critical part of the governance structure. When the IAF is effective, it cansignificantly enhance the organization’s potential for success.

Research Questions

Research questions include the following:

1. Can we develop a model of an effective and efficient IAF? What are the primaryfactors that lead to positive assessments of the IAF? Does the nature of the IAF varyby key characteristics of an audit committee or other governing structure?

2. Is there any evidence that sourcing the IAF in-house or outsourcing it makes adifference in governance?

3. How can smaller organizations, which may lack the resources for a separate internalaudit department, best implement an internal audit process that will support theirgovernance needs?

4. In many ways the IAF plays an integration role within an organization. For example,internal auditors have leveraged their expertise in both controls and risk to developcontrol self-assessment (CSA) activities and risk self-assessment (RSA) activities. Inother words, internal auditors have filled roles where there are voids in theorganization. Under what circumstances is the IAF most effective in performing an



integrating role? Does the integration role potentially impair the effectiveness ofother internal audit functions?

5. Does the integrating role of internal audit enhance or detract from effectivegovernance? For example, effective CSA and RSA require that the auditor act primarilyas a facilitator and consultant rather than as an assurance function. Is there a potentialconflict here, and if so, can it be managed effectively?

6. What are the relative roles of internal and external audit in contributing to effectivegovernance processes?

7. Is the effectiveness of the IAF associated with the amount of consulting services itprovides? Is the association positive or negative? Who judges the effectiveness ofinternal auditing in most organizations?

8. Is the credibility of the IAF as assessed by the audit committee (or other governingstructure) influenced by the amount of consulting services provided? Is the associationpositive or negative?

Cultural and Industry Factors Affecting Governance Structure and the IAF

A cursory review of internal audit literature reveals that internal auditing is practiced differentlyin various parts of the world and across industries. This raises additional questions:

1. While internal auditing in governmental units embraces the broad definition of internalauditing found in Exhibit 2-11, some governmental IAFs focus only on compliancework, while others focus on evaluating economy and efficiency of operations. Whydoes this difference exist? What factors are associated with this difference?

2. Does the nature of the IAF reporting relationship vary with the nature of theorganization, the power of the audit committee, or across different cultures? Howdoes the nature of the reporting relationship affect the size, structure, and nature ofservices performed by the IAF? For example, how does internal audit in developingcountries differ from internal audit in economically advanced countries? Does theIAF go through specific development stages that mirror the economic development?

3. How does the IAF differ in companies with distinctively different governanceconstraints and objectives? Can the nature of the IAF be modeled across differentgovernance and organizational forms, as well as across different industries?



4. What are the primary drivers of the nature of the IAF? For example, is governancemore of a driver than industry? Is the nature of governance and the IAF different inorganizations or industries that are heavily regulated? How do they differ? What arethe drivers of the differences?

5. We also know that the IAF operates in governance structures that are evolving indeveloping countries to meet different needs than those met by the governancestructure in more developed countries. What are the major drivers of these differences?Are there cultural or societal values that drive the nature of internal audit practice, oris it primarily the attributes of the governance structure?

VI. Research on the IAF and Governance

The IAF represents a unique research setting for at least four important reasons. First, asnoted above, the IAF often serves parties integrally involved in governance processes, suchas the board of directors, audit committee, external auditor, and senior management. However,the IAF also serves and adds value to those who are governed, such as management andindividual organizational units such as treasury, information technology management, andoperations. As a result, IAFs are often called upon to serve two masters: those primarilyresponsible for governance and those being governed. This unique relationship raisesinteresting research opportunities for those interested in internal audit research and theimportant role the IAF plays in adding value to governance processes.

Second, many activities performed by IAFs can be incorporated into an organization’s controlstructure. For example, the IAF often performs significant monitoring activities that couldbe incorporated into an organization’s control processes. This often raises questions aboutthe proper role of the IAF — serving as a direct part of the control system versus an assurorregarding the effectiveness of controls.

Third, the IAF may be sourced internally within the organization or may be outsourced to athird-party. Outsourcing is not unique. However, internal audit outsourcing is unique in thatthe major purveyors of such services are the external audit firms. In addition, outsourcing isunique in the sense that a major part of the governance structure is not part of the organization.It remains to be seen whether outsourcing creates additional independence and improvesthe effectiveness of the overall governance process, or whether the broad organizationalview developed by sourcing internal audit internally enhances governance.



Fourth, the expansion of the IAF to provide consulting services in addition to assuranceservices may be seen by some as potentially jeopardizing its value as an assuror andindependent analyst of the effectiveness of the governance process. The concern often raisedis not dissimilar from that of the external auditor (i.e., does the provision of any consultativeactivity impair the value of the assurance process?). These various governance and structuralfactors can be seen in Exhibit 2-11.

Exhibit 2-11Potential Structural Conflicts of Internal Audit and Governance

VII. Summary

Recent research has shown the IAF to be an integral part of effective governance processes.However, the research on organizational governance and the broader aspects of effectiveorganizational governance is still emerging. How important is the role of the IAF ingovernance? Does that role vary across cultures? Does it matter whether the IAF is housedwithin the organization or if an external provider provides the services? Do we have ameasure of effective governance that can be applied across countries, cultures, industries, orgovernmental entities that would help us better predict attributes of effective governance?The opportunities for research are rich. The following table summarizes the research questionsposed throughout the chapter. We hope that this discussion will prompt additional researchon the IAF and governance.

Consulting

Assurance Assurance

Board and AuditCommittee

Management Internal Audit



VIII. Appendix I: Chapter Research Questions

Organizational Governance Defined

• Are there parameters of governance that may differ across cultures or across nationsthat are not considered in the above model?

• Can we develop measures of effective governance that can be applied across cultures,countries, and industries?

• Can we identify the primary attributes of effective governance and its effect onvarious performance measures such as stock price movements or governmentalefficiency?

• What is the impact of regulation on the nature of governance processes and the roleof the IAF in those processes?

• Various reports, e.g., Cadbury, have called for governance reports on the effectivenessof risk management. Do mandated public reports improve governance? Has thenature of the IAF changed in countries that mandate specific governance reports?How does organizational governance differ in countries that have mandatedgovernance reports from those that have not issued similar mandates?

• Recent legislation in the U.S. has called for reports on the effectiveness of internalcontrol as part of a normal reporting process on the effectiveness of governance.What models of internal control reporting best contribute to the effectiveness oforganizational governance?

• What are the major determinants of an effective governance system, and how dothese determinants vary across types of organizations or cultures? What culturaldifferences most affect the nature of organizational governance?

• Many organizations are multinational. Are governance processes, including processesfor risk analysis and control, different in multinational companies than they are forcompanies that are domiciled within a unique culture (or country)? How do theydiffer and what works best?



• Are there significant differences in the identification of, and accountability to, variousstakeholders that may vary by type of organization, culture, organizational objectives,and so forth? How do such differences affect the nature of organizational governance?

• What is the demand for governance reports? What kind of a report would meet theusers’ needs for governance and accountability? Can we develop such a modelconceptually or can we test one empirically through experimental markets research?How would these reports differ from evolving reports on internal control?

• Under what circumstances can an audit committee or other governing structure usethe work of an internal auditor to provide assurances on governance to outside parties,e.g., shareholders? Under what circumstances would internal auditors have sufficientcredibility to add assurances to reports on effective governance?

• How does an organization most effectively communicate information about theeffectiveness of its governance processes to various stakeholders? Should such reportsbe prepared by independent assurance functions (independent public accountingfirms or internal audit functions), and, if not, are such reports improved by the additionof an assurance function? Does the nature of such assurances differ based on whetherthe internal audit function is outsourced to an independent outside accounting firm,or whether the internal audit function is housed within the organization?

Parties Involved in Organizational Governance

• Are there inherent conflicts in reporting responsibilities when internal auditors reportto both the audit committee and to various levels of management?

• Are there differences in the nature of services performed and the perceived value ofservices that vary with internal audit’s primary reporting responsibility?

• What kinds of safeguards need to be built into the IAF to ensure that internal auditingwill meet its external governance responsibilities?

• To what extent are internal auditors involved in auditing the effectiveness of thegovernance structure of the organization? Does the internal audit role systematicallyvary with organizational characteristics?

• Does an internal audit emphasis on meeting the needs of the audit committee lead toan increase in outsourcing of the internal audit function?



• How do organizations assess the value of various internal audit activities?

• How have budgetary control and resources expended on internal audit changedwith the increased governance requirements of stock exchanges and other regulatoryorganizations?

• How does the nature of internal audit activities differ when the IAF’s primary reportingresponsibility is to senior management as opposed to the audit committee?

• Is there an ideal reporting relationship for the IAF? What are the parameters of theideal reporting relationship, and what are the primary determinants of the idealreporting relationship?

Monitoring of Risks and Controls

• What role should the IAF play in risk management? How do we determine the optimalrisk management role for the IAF within the governance structure?

• Under what circumstances can management use the work of an internal auditor toprovide assurances on risk or control to outside parties, e.g., corporate trading partnersusing e-commerce or joint ventures?

• Internal auditors have often been viewed as control experts. Under what circumstanceswould internal auditors have sufficient independence and credibility to provide reportsto external parties on the effectiveness of internal control? Is there a difference inwhether the IAF is outsourced or in-house?

• What role should the IAF play in control self-assessment and control assessment?How do we determine the optimal role for the IAF within the governance structureregarding effective control?

• An important role of the IAF as part of a control system is effective monitoring.What is “effective monitoring”? What are the conflicts between effective monitoringand the provision of other internal audit services such as control self-assessment,risk self-assessment, or providing recommendations to improve operatingeffectiveness?



Goals and Accountability

• Is the existence of an effective IAF associated with superior organizationalperformance? If so, are there objective measures of internal audit effectiveness?

• Is the existence of an effective IAF associated with reduced incidence of controlfailures? If so, which types of control failures?

• What type of internal audit structure enhances the accountability of governmentalentities?

• How can the internal audit function best increase accountability to variousstakeholders?

• Do organizations with more specific quantitative goals/objectives perform betterthan those with less measurable goals? What role does internal audit play in helpingdefine and assess attainment of measurable objectives?

Groups Calling for Improved Governance

• How did the role of the IAF change as a result of new regulations passed in 2002?Has the status of the IAF been elevated? If so, how?

• How do potential audit committee or board members evaluate the strength of theIAF? To what extent does the existence of an effective IAF influence the compositionof a board of directors?

• Have the new regulations passed in 2002 led to a change in organizations’ controlsystems or governance practices?

• Has internal audit outsourcing increased in companies where the IAF reports directlyto the audit committee (assumes an audit committee focus on controls and financialreporting)?

• What role does (should) the IAF play in assessing and reporting on risk managementand control? Is the internal audit function effective in reporting on the “tone at thetop” as part of its function to help assess the quality of internal control?



• What role does (should) the IAF play in whistleblower protection, a hot line callsystem, or an ethics program?

• Has the nature of the interaction of the IAF with audit committees changed? If yes,how has it changed? How has the interaction with top management changed?

• What is the internal auditor’s role in evaluating the effectiveness of risk processesand controls associated with information technology?

• Are there significant differences in the IAF between companies listed on the NYSEand those listed on other exchanges that have different governance requirements?

• Are the recommendations for improved internal auditing in the private sector beingcarried over into the public sector? If yes, what are the mechanisms that contributeto the change?

Audit Committees

• What kind of an information system does an audit committee need to be effective?What role can the IAF play in providing that information?

• Is there an association between the quality of the IAF and the effectiveness of theaudit committee?

• Is there a conflict in the duties of audit committees, as presently constituted, regardingreporting relationships? The audit committee is a subcommittee of the board andmay report to a board that could be dominated by management. Does the compositionof the board influence the effectiveness of the audit committee?

• How does an audit committee meet its external governance needs while operating ina framework that makes it part of a larger body dominated by internal personnel?

• Most discussions of board activities warn against “micromanagement.” However,many of the internal auditors’ recommendations address needs for improving controls,risk management, information technology security, efficiency of operations, and soforth are clearly intended for management action. How do effective audit committeesmanage the detail often found in internal audit recommendations?



• Does the increased reporting responsibility of the IAF to the audit committee decreasethe value of the IAF as a management tool?

• Are audit committees becoming more financially literate, as required by the SECand legislation? How is financial literacy measured? Does the focus on financialliteracy improve or hinder the effective performance of an audit committee and theboard of directors?

• What level or style of communication is most effective in portraying internal auditinformation to audit committees?

An Alternative Structure: The Two-Tiered Governance Structure

• How might we measure the effectiveness of single-tier approaches to governanceversus the two-tier structure found in some European and Asian countries?

• Are organizations with full-time, outside governing structures more effective inprotecting stakeholders? Are there things that we can learn from the two-tiergovernance structure that can be applied to improve the single-tier governancestructure?

• How does the role of the IAF differ in single-tier versus two-tier governance structures?

The Role of the IAF in the Governance Structure

• Can we develop a model of an effective and efficient IAF? What are the primaryfactors that lead to positive assessments of the IAF? Does the nature of the IAF varyby key characteristics of an audit committee or other governing structure?

• Is there any evidence that sourcing the IAF in-house or outsourcing it makes adifference in governance?

• How can smaller organizations, which may lack the resources for a separate internalaudit department, best implement an internal audit process that will support theirgovernance needs?

• In many ways the IAF plays an integration role within an organization. For example,internal auditors have leveraged their expertise in both controls and risk to developcontrol self-assessment (CSA) activities and risk self-assessment (RSA) activities. In



other words, internal auditors have filled roles where there are voids in theorganization. Under what circumstances is the IAF most effective in performing anintegrating role? Does the integration role potentially impair the effectiveness ofother internal audit functions?

• Does the integrating role of internal audit enhance or detract from effectivegovernance? For example, effective CSA and RSA require that the auditor act primarilyas a facilitator and consultant rather than as an assurance function. Is there a potentialconflict here, and if so, can it be managed effectively?

• What are the relative roles of internal and external audit in contributing to effectivegovernance processes?

• Is the effectiveness of the IAF associated with the amount of consulting services itprovides? Is the association positive or negative? Who judges the effectiveness ofinternal auditing in most organizations?

• Is the credibility of the IAF as assessed by the audit committee (or other governingstructure) influenced by the amount of consulting services provided? Is the associationpositive or negative?

Cultural and Industry Factors Affecting Governance Structure and the IAF

• While internal auditing in governmental units embraces the broad definition of internalauditing found in Exhibit 2-11, some governmental IAFs focus only on compliancework, while others focus on evaluating economy and efficiency of operations. Whydoes this difference exist? What factors are associated with this difference?

• Does the nature of the IAF reporting relationship vary with the nature of theorganization, the power of the audit committee, or across different cultures? Howdoes the nature of the reporting relationship affect the size, structure, and nature ofservices performed by the IAF? For example, how does internal audit in developingcountries differ from internal audit in economically advanced countries? Does theIAF go through specific development stages that mirror the economic development?

• How does the IAF differ in companies with distinctively different governanceconstraints and objectives? Can the nature of the IAF be modeled across differentgovernance and organizational forms, as well as across different industries?



• What are the primary drivers of the nature of the IAF? For example, is governancemore of a driver than industry? Is the nature of governance and the IAF different inorganizations or industries that are heavily regulated? How do they differ? What arethe drivers of the differences?

• We also know that the IAF operates in governance structures that are evolving indeveloping countries to meet different needs than those met by the governancestructure in more developed countries. What are the major drivers of these differences?Are there cultural or societal values that drive the nature of internal audit practice, oris it primarily the attributes of the governance structure?



Footnote

1Although some governmental institutions have been active in calling for increased andimproved corporate governance, Monks and Minow (2001) point out that recent trendshave also worked to diffuse initiatives for better governance. For example, they point outthat pension funds, insurance companies, and bank trust companies almost invariably votefor management’s positions on proxy issues, thus even further diffusing the power of thosecalling for greater accountability and more checks on management’s authority and power.



References

Abbott, L.J., Y. Park, and S. Parker, “The Effects of Audit Committee Activity andIndependence on Corporate Fraud,” Managerial Finance 26: 2000, pp. 55-67.

American Institute of Certified Public Accountants (AICPA). SAS No. 89. Audit Adjustments(New York: AICPA, 1999).

American Institute of Certified Public Accountants (AICPA). SAS No. 90. Audit CommitteeCommunications (New York: AICPA, 2000).

Beasley, M.S., “An Empirical Analysis of the Relation Between the Board of DirectorComposition and Financial Statement Fraud,” The Accounting Review 71(4): 1996, pp.443-465.

Beasley, M.S., J.V. Carcello, and D.R. Hermanson, Fraudulent Financial Reporting: 1987 –1997, An Analysis of U.S. Public Companies, Committee of Sponsoring Organizations(COSO), 1999.

Beasley, M.S., J.V. Carcello, D.R. Hermanson, and P.D. Lapides, “Fraudulent FinancialReporting: Consideration of Industry Traits and Corporate Governance Mechanisms,”Accounting Horizons 14 (December): 2000, pp. 441-454.

Blue Ribbon Committee (BRC), Report and Recommendations of the Blue Ribbon Committeeon Improving the Effectiveness of Corporate Audit Committees (New York, NY: NewYork Stock Exchange and National Association of Securities Dealers, 1999).

Cadbury Committee, Report of the Committee on the Financial Aspects of CorporateGovernance (London: Professional Publishing Ltd., 1992).

California Public Employees’ Retirement System (CalPERS), Corporate Governance CorePrinciples & Guidelines (Sacramento, CA: CalPERS, 1998).

California Public Employees’ Retirement System (CalPERS), Global Proxy Voting Principles(Sacramento, CA: CalPERS, 2001).

Carcello, J.V., D.R. Hermanson, and T.L. Neal, “Disclosures in Audit Committee Chartersand Reports,” Accounting Horizons (December, Forthcoming): 2002.



Carcello, J.V., and T.L. Neal, “Audit Committee Composition and Auditor Reporting,” TheAccounting Review 75 (October): 2000, pp. 453-467.

Committee of Sponsoring Organizations (COSO), Internal Control – Integrated Framework(New York: COSO, 1992).

Corporate Governance Center (CGC), 21st Century Governance and Financial ReportingPrinciples (Kennesaw, GA: Kennesaw State University, 2002).

Dechow, P.M., R.G. Sloan, and A.P. Sweeney, “Causes and Consequences of EarningsManipulation: An Analysis of Firms Subject to Enforcement Actions by the SEC,”Contemporary Accounting Research 13 (Spring): 1996, pp. 1-36.

DeZoort, F.T., D.R. Hermanson, D.S. Archambeault, and S. Reed, “Audit CommitteeEffectiveness: A Synthesis of the Empirical Audit Committee Literature,” Journal ofAccounting Literature (Forthcoming): 2002.

Fraser, I., W. Henry, and P. Wallage, The Future of Corporate Governance: Insights from theNetherlands (Edinburgh, Scotland: The Institute of Chartered Accountants of Scotland,2000).

Hampel Committee, Committee on Corporate Governance: Final Report, 1998.

The Institute of Internal Auditors, Recommendations for Improving Corporate Governance:Presented to the New York Stock Exchange (Altamonte Springs, FL: The Institute ofInternal Auditors, 2002).

KPMG, Corporate Governance in Europe (KPMG, 2001/2002).

Levitt, A., An Essential Next Step in the Evolution of Corporate Governance. Speech to theAudit Committee Symposium, June 29, 1999.

McMullen, D.A., “Audit Committee Performance: An Investigation of the ConsequencesAssociated with Audit Committees,” Auditing: A Journal of Practice & Theory 15 (Spring):1996, pp. 87-103.

McMullen, D.A., and K. Raghunandan, “Enhancing Audit Committee Effectiveness,” Journalof Accountancy: 1996, pp. 79-81.



Monks, R., and N. Minow, Corporate Governance: Second Edition (Malden, MA: BlackwellPublishers, 2001).

National Association of Corporate Directors (NACD), The Role of the Board in the PublicCompany (Washington, DC: NACD, 1996).

National Association of Corporate Directors (NACD), Report of the NACD Blue RibbonCommission on Audit Committees: A Practical Guide (Washington, DC: NACD, 2000a).

National Association of Corporate Directors (NACD), Report of the NACD Blue RibbonCommission on the Role of the Board in Corporate Strategy (Washington, DC: NACD,2000b).

National Association of Corporate Directors (NACD), Report of the NACD Blue RibbonCommission on Director Professionalism (Washington, DC: NACD, 2001).

Organisation for Economic Co-operation and Development (OECD), OECD Principles ofCorporate Governance (1999. http://www.oecd.org).

PricewaterhouseCoopers, Audit Committee Effectiveness – What Works Best. 2nd Edition(Altamonte Springs, FL: The Institute of Internal Auditors Research Foundation, 2000).

Raghunandan, K., W.J. Read, and D.V. Rama, “Audit Committee Composition, ‘GreyDirectors,’ and Interaction with Internal Auditing,” Accounting Horizons (June): 2001,pp. 105-118.

Securities and Exchange Commission (SEC), Final Rule: Audit Committee Disclosure. ReleaseNo. 34-42266. (Washington, DC: SEC, 1999).

TIAA-CREF, Policy Statement on Corporate Governance (2002. http://www.tiaa-cref.org/libra/governance/).

Treadway Commission. Report of the National Commission on Fraudulent FinancialReporting (Washington, DC: National Commission on Fraudulent Financial Reporting,1987).

Wild, J.J., “The Audit Committee and Earnings Quality,” Journal of Accounting, Auditing &Finance 11: 1996, pp. 247-276.